StellaOps Bot
2025-12-14 23:20:14 +02:00
parent 3411e825cd
commit b058dbe031
356 changed files with 68310 additions and 1108 deletions


@@ -0,0 +1,199 @@
# Competitive Claims Citation Index
## Purpose
This document is the **authoritative source** for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.
**Last Updated:** 2025-12-14
**Next Review:** 2026-03-14
---
## Claim Categories
### 1. Determinism Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| DET-001 | "StellaOps produces bit-identical scan outputs given identical inputs" | `tests/determinism/` golden fixtures; CI workflow `scanner-determinism.yml` | High | 2025-12-14 | 2026-03-14 |
| DET-002 | "All CVSS scoring decisions are receipted with cryptographic InputHash" | `ReceiptBuilder.cs:164-190`; InputHash computation implementation | High | 2025-12-14 | 2026-03-14 |
| DET-003 | "No competitor offers deterministic replay manifests for audit-grade reproducibility" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-14 | 2026-03-14 |
### 2. Reachability Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| REACH-001 | "Hybrid static + runtime reachability analysis reduces noise by 60-85%" | `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md` | High | 2025-12-14 | 2026-03-14 |
| REACH-002 | "Signed reachability graphs with DSSE attestation" | `src/Attestor/` module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in `src/Scanner/Analyzers/` | High | 2025-12-14 | 2026-03-14 |
### 3. VEX & Lattice Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| VEX-001 | "OpenVEX lattice semantics with deterministic state transitions" | `src/Excititor/` VEX engine; lattice documentation | High | 2025-12-14 | 2026-03-14 |
| VEX-002 | "VEX consensus from multiple sources (vendor, tool, analyst)" | `VexConsensusRefreshService.cs`; consensus algorithm | High | 2025-12-14 | 2026-03-14 |
| VEX-003 | "Seven-state lattice: CR, SR, SU, DT, DV, DA, U" | `docs/product-advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md` | High | 2025-12-14 | 2026-03-14 |
### 4. Attestation Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| ATT-001 | "DSSE-signed attestations for all evidence artifacts" | `src/Attestor/StellaOps.Attestor.Envelope/` | High | 2025-12-14 | 2026-03-14 |
| ATT-002 | "Optional Sigstore Rekor transparency logging" | `src/Attestor/StellaOps.Attestor.Rekor/` integration | High | 2025-12-14 | 2026-03-14 |
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | `StellaOps.Cryptography` with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |
### 5. Offline & Air-Gap Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| OFF-001 | "Full offline/air-gap operation capability" | `docs/airgap/`; offline kit implementation | High | 2025-12-14 | 2026-03-14 |
| OFF-002 | "Offline scans produce identical results to online (same advisory date)" | `docs/airgap/offline-parity-verification.md` (pending) | Medium | TBD | TBD |
| OFF-003 | "Risk bundles include NVD, KEV, EPSS data" | `docs/airgap/risk-bundles.md`; bundle manifest schema | High | 2025-12-14 | 2026-03-14 |
| OFF-004 | "DSSE-signed offline bundles for integrity verification" | Bundle signing implementation | High | 2025-12-14 | 2026-03-14 |
### 6. CVSS & Risk Scoring Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| CVSS-001 | "Full CVSS v4.0 MacroVector-based scoring with 324 lookup combinations" | `MacroVectorLookup.cs` | High | 2025-12-14 | 2026-03-14 |
| CVSS-002 | "Support for CVSS v2.0, v3.0, v3.1, and v4.0 vectors" | `CvssV2Engine.cs`, `CvssV3Engine.cs`, `CvssEngineFactory.cs` | High | 2025-12-14 | 2026-03-14 |
| CVSS-003 | "Threat Metrics (Exploit Maturity) integration per v4.0 spec" | `CvssV4Engine.cs:365-375` | High | 2025-12-14 | 2026-03-14 |
| CVSS-004 | "EPSS percentile-based risk bonuses (99th=+10%, 90th=+5%, 50th=+2%)" | `CvssKevEpssProvider.cs` | High | 2025-12-14 | 2026-03-14 |
| CVSS-005 | "KEV (Known Exploited Vulnerabilities) +20% risk bonus" | `CvssKevProvider.cs:33` | High | 2025-12-14 | 2026-03-14 |
### 7. SBOM Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| SBOM-001 | "SPDX 3.0.1 and CycloneDX 1.6 output formats" | SBOM generator implementations | High | 2025-12-14 | 2026-03-14 |
| SBOM-002 | "Multi-ecosystem support: APK, DEB, RPM, npm, Maven, NuGet, PyPI, Go, Cargo" | Ecosystem analyzers in `src/Scanner/` | High | 2025-12-14 | 2026-03-14 |
| SBOM-003 | "Deterministic SBOM generation (same image = same SBOM)" | SBOM determinism tests | High | 2025-12-14 | 2026-03-14 |
---
## Competitive Comparison Claims
### vs. Trivy
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-TRIVY-001 | "Trivy lacks lattice VEX semantics (boolean only)" | Trivy v0.55.0 source: `pkg/vex/` | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-002 | "Trivy lacks deterministic replay manifests" | Trivy v0.55.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-003 | "Trivy lacks native reachability analysis" | Trivy v0.55.0 feature matrix | High | 2025-12-14 | 2026-03-14 |
### vs. Grype
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-GRYPE-001 | "Grype lacks DSSE attestation signing" | Grype v0.80.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-002 | "Grype lacks VEX state lattice (affected/not_affected only)" | Grype v0.80.0 VEX implementation | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-003 | "Grype lacks CVSS v4.0 scoring" | Grype v0.80.0 feature matrix | Medium | 2025-12-14 | 2026-03-14 |
### vs. Snyk
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-SNYK-001 | "Snyk lacks deterministic replay manifests" | Snyk CLI v1.1292 audit | High | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |
---
## Confidence Levels
| Level | Percentage | Definition |
|-------|------------|------------|
| **High** | 80-100% | Verified against source code or authoritative documentation |
| **Medium** | 50-80% | Based on documentation or limited testing; needs deeper verification |
| **Low** | <50% | Unverified or based on indirect evidence; requires validation |
---
## Update Process
### Verification Schedule
1. **Quarterly Review**: All claims reviewed every 90 days
2. **Major Version Triggers**: Re-verify when competitors release major versions
3. **Market Events**: Re-verify after significant market announcements
### Verification Steps
1. **Source Audit**: Review competitor source code (if open source)
2. **Documentation Review**: Check official documentation
3. **Feature Testing**: Test specific features when possible
4. **Third-Party Sources**: Cross-reference analyst reports
### Update Workflow
```
1. Identify claim requiring update
2. Conduct verification per type
3. Update evidence column
4. Update confidence level if changed
5. Set new verified date
6. Set next review date
7. Document changes in execution log
```
---
## Deprecation Policy
### Stale Claims
Claims older than **6 months** without verification are marked **STALE**:
- STALE claims must NOT be used in external communications
- STALE claims require immediate re-verification or removal
- Marketing team notified of all STALE claims
### Invalidated Claims
When a claim becomes false (e.g., competitor adds feature):
1. Mark claim as **INVALID**
2. Remove from all active materials within 7 days
3. Update competitive documentation
4. Notify stakeholders
---
## Usage Guidelines
### For Marketing
- Reference claims by ID (e.g., "Per DET-001...")
- Include verification date in footnotes
- Do not paraphrase claims without SME review
### For Sales
- Use claims matrix for competitive conversations
- Check confidence levels before customer commitments
- Report feedback on claim accuracy
### For Documentation
- Link to this index for competitive statements
- Update cross-references when claims change
- Flag questionable claims to Docs Guild
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-14 | Initial claims index created | Docs Guild |
| 2025-12-14 | Added CVSS v2/v3 engine claims (CVSS-002) | AI Implementation |
| 2025-12-14 | Added EPSS integration claims (CVSS-004) | AI Implementation |
---
## References
- `docs/product-advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md`
- `docs/market/competitive-landscape.md`
- `docs/benchmarks/accuracy-metrics-framework.md`
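Review bot: OFF-002 contradicts the rules this same file defines: its Evidence is `docs/airgap/offline-parity-verification.md` (pending), Verified and Next Review are both TBD, yet Confidence is Medium, which the Confidence Levels table reserves for claims "Based on documentation or limited testing". With no verified date the 6-month STALE rule in the Deprecation Policy can also never trigger for it. Suggest Low (or an explicit DRAFT marker excluded from external use) plus a concrete Next Review date so the row ages like the others. Two smaller points in the same tables: DET-003 ("No competitor offers deterministic replay manifests") is evidenced by audits of exactly three tools (Trivy v0.55, Grype v0.80, Snyk CLI v1.1292), so either scope the wording to the audited vendors or list the audits that back the word "No"; and evidence pinned to line ranges (`ReceiptBuilder.cs:164-190`, `CvssV4Engine.cs:365-375`, `CvssKevProvider.cs:33`) drifts on the next edit, so cite a symbol name or a commit SHA instead. Also confirm CVSS-001's "324 lookup combinations": 324 is the raw product of the six EQ level counts (3×2×3×3×3×2), but the v4.0 specification's MacroVector table has 270 entries because EQ3=2 (no High among VC/VI/VA) cannot coincide with EQ6=0, so state whichever count `MacroVectorLookup.cs` actually holds before publishing it at High confidence.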


@@ -1,45 +1,74 @@
# Competitive Landscape (Nov 2025)
Source: internal advisory 23-Nov-2025 - Stella Ops vs Competitors. Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
Source: internal advisory "23-Nov-2025 - Stella Ops vs Competitors". Supersedes/extends prior competitive notes (none published); treat this as canonical until a newer dated advisory arrives. This summary distils the 15-vendor comparison into actionable positioning notes and links back to the full matrix for sales/PMM.
## StellaOps moats (why we win)
- **Deterministic replay:** feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes.
- **Hybrid reachability attestations:** graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed with publish caps.
- **Lattice-based VEX engine:** merges advisories, runtime hits, reachability, waivers with explainable paths.
- **Crypto sovereignty:** FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs.
- **Proof graph:** DSSE + transparency across SBOM, call-graph, VEX, replay manifests.
---
## Verification Metadata
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-14 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](claims-citation-index.md) |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
**Confidence Levels:**
- **High (80-100%)**: Verified against source code or authoritative documentation
- **Medium (50-80%)**: Based on documentation or limited testing; needs deeper verification
- **Low (<50%)**: Unverified or based on indirect evidence; requires validation
---
## Stella Ops moats (why we win)
| Moat | Description | Claim IDs | Confidence |
|------|-------------|-----------|------------|
| **Deterministic replay** | Feed+rules snapshotting; graph/SBOM/VEX re-run bit-for-bit with manifest hashes | DET-001, DET-002, DET-003 | High |
| **Hybrid reachability attestations** | Graph-level DSSE always; optional edge-bundle DSSE for runtime/init/contested edges; Rekor-backed | REACH-001, REACH-002, ATT-001, ATT-002 | High |
| **Lattice-based VEX engine** | Merges advisories, runtime hits, reachability, waivers with explainable paths | VEX-001, VEX-002, VEX-003 | High |
| **Crypto sovereignty** | FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors as first-class knobs | ATT-004 | Medium |
| **Proof graph** | DSSE + transparency across SBOM, call-graph, VEX, replay manifests | ATT-001, ATT-002, ATT-003 | High |
## Top takeaways (sales-ready)
1. No competitor offers deterministic replay with frozen feeds; we do.
2. None sign reachability graphs; we sign graphs and (optionally) edges.
3. Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to StellaOps.
4. Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all.
5. Offline/air-gap readiness with mirrored transparency is rare; we ship it by default.
| # | Claim | Claim IDs | Confidence |
|---|-------|-----------|------------|
| 1 | No competitor offers deterministic replay with frozen feeds; we do | DET-003 | High |
| 2 | None sign reachability graphs; we sign graphs and (optionally) edges | REACH-002 | High |
| 3 | Sovereign crypto profiles (FIPS/eIDAS/GOST/SM/PQC) are unique to Stella Ops | ATT-004 | Medium |
| 4 | Lattice VEX + explainable paths is unmatched; others ship boolean VEX or none at all | VEX-001, COMP-TRIVY-001, COMP-GRYPE-002 | High |
| 5 | Offline/air-gap readiness with mirrored transparency is rare; we ship it by default | OFF-001, OFF-004 | High |
## Where others fall short (high level)
- **No deterministic replay:** none of the 15 provide hash-stable, replayable scans with frozen feeds.
- **No lattice/VEX merge:** VEX is absent or bolt-on; no trust algebra elsewhere.
- **Attestation gaps:** most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs.
- **Offline/sovereign:** weak or SaaS-only; no regional crypto options.
| Gap | Description | Related Claims | Verified |
|-----|-------------|----------------|----------|
| **No deterministic replay** | None of the 15 provide hash-stable, replayable scans with frozen feeds | DET-003, COMP-TRIVY-002, COMP-GRYPE-001, COMP-SNYK-001 | 2025-12-14 |
| **No lattice/VEX merge** | VEX is absent or bolt-on; no trust algebra elsewhere | COMP-TRIVY-001, COMP-GRYPE-002 | 2025-12-14 |
| **Attestation gaps** | Most rely on Cosign-only or have no DSSE/Rekor story; none sign reachability graphs | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **Offline/sovereign** | Weak or SaaS-only; no regional crypto options | COMP-SNYK-003, ATT-004 | 2025-12-14 |
## Snapshot table (condensed)
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella |
| ------------------- | -------- | ----------- | ------------- | ----- | ------- | ---------------------- |
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay |
| AWS (Inspector/Signer)| Partial| Partial | Notary v2 | No | Weak | Closed, no replay |
| Google | Yes | Yes | Yes | Opt | Weak | No offline/lattice |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice |
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella | Related Claims |
|--------|----------|-------------|---------------|-------|---------|------------------------|----------------|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice | COMP-GRYPE-001, COMP-GRYPE-002, COMP-GRYPE-003 |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay | COMP-SNYK-001, COMP-SNYK-002, COMP-SNYK-003 |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay | |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay | |
| Google | Yes | Yes | Yes | Opt | Weak | No offline/lattice | |
| GitHub | Yes | Partial | Yes | Yes | No | No replay/crypto opts | |
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice | |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability | |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto | |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice | |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused | |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice | |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE | |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice | |
## How to use this doc
- Sales/PMM: pull talking points and the gap list when building battlecards.
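Review bot: several competitor-absence statements in the new tables cite only Stella Ops self-capability claims, so the claim IDs do not support what the row says. Takeaway 2 ("None sign reachability graphs") cites REACH-002 and takeaway 5 ("rare; we ship it by default") cites OFF-001, OFF-004, none of which says anything about other vendors; the "No deterministic replay" gap row asserts "None of the 15" while its Related Claims cover Trivy, Grype and Snyk only, and the remaining twelve vendors in the snapshot table have empty Related Claims cells. Either add COMP-* entries for those vendors to the index or reword the rows to the vendors that were audited and lower the confidence accordingly. The "Crypto sovereignty" moat row and takeaway 3 also list PQC, but the cited ATT-004 covers "eIDAS, FIPS, GOST, SM" only, so PQC is currently an unbacked claim. Finally the product name is spelled both "StellaOps" (old moats heading, list item 3, the claims index) and "Stella Ops" (new moats heading, table row 3); settle on one spelling across both files.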
@@ -51,26 +80,27 @@ Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Superse
- Architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- Reachability moat details: `docs/reachability/lead.md`
- Source advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- **Claims Citation Index**: [`docs/market/claims-citation-index.md`](claims-citation-index.md)
---
## Battlecard Appendix (snippet-ready)
**One-liners**
- *Replay or its noise:* Only StellaOps can re-run a scan bit-for-bit from frozen feeds.
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges.
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles.
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths.
- *Replay or it's noise:* Only Stella Ops can re-run a scan bit-for-bit from frozen feeds. [DET-003]
- *Signed reachability, not guesses:* Graph DSSE always; optional edge DSSE for runtime/init edges. [REACH-002]
- *Sovereign-first:* FIPS/eIDAS/GOST/SM/PQC profiles and offline mirrors are first-class toggles. [ATT-004]
- *Trust algebra:* Lattice VEX merges advisories, reachability, runtime, waivers with explainable paths. [VEX-001]
**Proof points**
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional).
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood.
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped.
- Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional). [DET-001, DET-002]
- Hybrid reachability: graph-level attestations plus capped edge-bundle attestations to avoid Rekor flood. [REACH-001, REACH-002]
- Offline: transparency mirrors + sealed bundles keep verification working air-gapped. [OFF-001, OFF-003, OFF-004]
**Objection handlers**
- “We already sign SBOMs.” → Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do.
- Cosign/Rekor is enough.” → Without deterministic manifests + reachability proofs, you cant audit why a vuln was reachable.
- “Our runtime traces show reachability.” → We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge.
- "We already sign SBOMs." Do you sign call-graphs and VEX? Do you replay scans bit-for-bit? We do. [DET-001, REACH-002]
- "Cosign/Rekor is enough." Without deterministic manifests + reachability proofs, you can't audit why a vuln was reachable. [DET-003]
- "Our runtime traces show reachability." We combine runtime hits with signed static graphs and VEX lattice; evidence is replayable and quarantinable edge-by-edge. [REACH-001, VEX-002]
**CTA for reps**
- Demo: show `stella graph verify --graph <hash>` with and without edge-bundle verification.
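Review bot: the proof point "Deterministic replay manifests; BLAKE3 graph hashes; DSSE + Rekor for graphs (edge bundles optional)" is tagged [DET-001, DET-002], but neither claim mentions BLAKE3 (DET-002 is the InputHash on CVSS receipts), so the hash algorithm is an uncited specific in a snippet that marketing is told to quote verbatim; add a claim row to the index or drop the algorithm name. Likewise the first objection handler's "Do you sign call-graphs and VEX? ... We do." is tagged [DET-001, REACH-002], neither of which covers signing VEX; ATT-001 ("DSSE-signed attestations for all evidence artifacts") is the closer fit. The copy fixes in the rewritten lines are right (its/it's in the first one-liner, the missing opening quote and the contraction in the Cosign/Rekor handler).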
@@ -78,3 +108,4 @@ Source: internal advisory “23-Nov-2025 - Stella Ops vs Competitors”. Superse
## Sources
- Full advisory: `docs/product-advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- Claims Citation Index: `docs/market/claims-citation-index.md`
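Review bot: this adds the claims index to Sources as a bare path (`docs/market/claims-citation-index.md`) while the same diff already adds it to the related-docs list above as a markdown link ([`docs/market/claims-citation-index.md`](claims-citation-index.md)) and once more in the Verification Metadata table, giving three references in one document in two link styles. Keep one form throughout (the markdown link resolves in rendered docs; the bare path matches the existing "Full advisory" entry), and consider dropping one of the duplicates so future edits have a single place to update.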